While I can simply have e.g. sshd in a chroot environment ("chrootenv") listen to a different port than its parent ("parentenv"), it would be more convenient to have that environment have an additional IP and hostname and have sshd listen to that IP's port 22. So basically I'd like to set up a chroot environment such that it behaves like a separate host in the network. How can this be achieved? Or is this something LXC or user-mode Linux (which I lack experience with) is better suited for?

1 Answer

Normally, chroot is about "limiting privileges", not granting users their own IF to play with...

But in any case: if you feel like doing some work, you may start your chroot environment within a new network namespace. You find an introduction here. Then the last command, the one that places you into the new network namespace, which in the guide above is

But the question that follows is: don't you think that using a Linux container (LXC, OpenVZ, VServer) would be faster and simpler? Isn't a chroot with an interface the very same thing as a Linux container? Generally, when security issues are no concern, that's the way I go.

Edit:

Ok, I see your plight. Still, there is one possibility. Make two virtual interfaces on the same card, and make sure they both get an IP address from your DHCP. Now configure ssh to bind to one of them. You can do this both for the ssh client and for the ssh server. For the client, the instruction is

ssh -b ip.address.tobind.to

while for the server you need to use the instruction

ListenAddress ip.address.tobind.to

in the file /etc/ssh/sshd_config. This way you have forced the host to use only one interface. Then enter the chroot jail, and use the other interface. I am shaky on busybox capabilities, so will state categorically that this will work. But it would work, if this were a chroot jail in a normal pc.

Thanks for your answer. The main reason I'm trying to do this with chroot is that it's a very limited system (the Linux on a Buffalo LinkStation NAS) with no package manager, so I want to "amplify" its functionality with Gentoo. Unfortunately, it also only comes with busybox (1.7), the ip command of which doesn't support netns... I'm pretty sure that the kernel doesn't support LXC, though the lack of source files makes that rather difficult (impossible?) to determine without compiling it.
– Tobias Kienzler, Nov 5 '13 at 8:00

As a sidenote, ip addr add ... does work, so if I accept that the host can also "see" the additional IP, all I need to do is figure out how to make the host sshd ignore the secondary IP while the chrooted one shall listen on that one's port 22.
– Tobias Kienzler, Nov 7 '13 at 11:21
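An added example (not code from the answer or the comments) for the ListenAddress approach and the last comment's question: it expands a host and a chroot sshd_config into the (address, port) pairs each sshd will bind and reports pairs that cannot coexist, e.g. a host sshd with no ListenAddress taking port 22 on the wildcard and so on the secondary IP too. The addresses 192.168.1.10/11 and the config snippets are constructed; treating every Port line as applying to every port-less ListenAddress is a simplification of sshd's ordering rules.

```python
import ipaddress
# Wildcards sshd accepts in ListenAddress, mapped to the IP family they cover.
WILDCARD = {"0.0.0.0": 4, "*": 4, "::": 6}

def _parse_addr(token):
    """'addr', 'addr:port' or '[addr]:port' -> (addr, port or None)."""
    if token.startswith("["):                    # [ipv6]:port
        addr, _, rest = token[1:].partition("]")
        return addr, (int(rest[1:]) if rest.startswith(":") else None)
    if token.count(":") == 1:                    # ipv4:port
        addr, _, port = token.partition(":")
        return addr, int(port)
    return token, None                           # bare IPv4 or IPv6

def binds(config_text):
    """(address, port) pairs this sshd_config binds: no ListenAddress means both
    wildcards; a ListenAddress without a port takes every Port line (22 if none)."""
    ports, addrs = [], []
    for raw in config_text.splitlines():
        parts = raw.split("#", 1)[0].split(None, 1)   # strip comment, split key/value
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "port":
            ports.append(int(value))
        elif key == "listenaddress":
            addrs.append(_parse_addr(value.split()[0]))
    ports = ports or [22]
    addrs = addrs or [("0.0.0.0", None), ("::", None)]
    return {(a, p) for a, port in addrs for p in ([port] if port is not None else ports)}

def _covers(wild, addr):
    """True if 'wild' is a wildcard of the same IP family as 'addr'."""
    if wild not in WILDCARD:
        return False
    try:
        return ipaddress.ip_address(addr).version == WILDCARD[wild]
    except ValueError:                           # hostname or another wildcard
        return WILDCARD.get(addr) == WILDCARD[wild]

def conflicts(host_cfg, chroot_cfg):
    """Sorted (host_bind, chroot_bind) pairs that cannot both be bound on one kernel."""
    out = []
    for h in binds(host_cfg):
        for c in binds(chroot_cfg):
            if h[1] == c[1] and (h[0] == c[0] or _covers(h[0], c[0]) or _covers(c[0], h[0])):
                out.append((h, c))
    return sorted(out)

HOST_DEFAULT = "Port 22\n# no ListenAddress: grabs port 22 on every address\n"  # constructed
HOST_FIXED = "ListenAddress 192.168.1.10\n"       # constructed: host sshd pinned to first IP
CHROOT = "ListenAddress 192.168.1.11:22\n"        # constructed: chroot sshd on the second IP
```

Running conflicts(HOST_DEFAULT, CHROOT) flags the wildcard bind; conflicts(HOST_FIXED, CHROOT) returns an empty list, which is the state the answer's ListenAddress advice is meant to produce.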